Hugging Face's logo

Spaces:
capta1n
/
project8
Running

App Files Community
project8 / index.html
capta1n's picture
capta1n
Add 2 files
2860e80 verified
raw
history blame contribute delete
64.5 kB
 <!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>AI SDL 数字分身 - 风险项目详情</title>
<script src="https://cdn.tailwindcss.com"></script>
<script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.7.0/highlight.min.js"></script>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.7.0/styles/atom-one-dark.min.css">
<style>
.risk-critical { background-color: #fee2e2; border-left: 4px solid #ef4444; }
.risk-high { background-color: #ffedd5; border-left: 4px solid #f97316; }
.risk-medium { background-color: #fef9c3; border-left: 4px solid #eab308; }
.risk-low { background-color: #ecfdf5; border-left: 4px solid #10b981; }
.content-container {
display: grid;
grid-template-columns: 1fr 1fr;
gap: 1rem;
height: calc(100vh - 200px);
overflow: hidden;
}
.content-panel {
overflow-y: auto;
padding: 1rem;
border: 1px solid #e5e7eb;
border-radius: 0.5rem;
height: 100%;
}
.code-block {
position: relative;
}
.code-block pre {
margin: 0;
border-radius: 0.375rem;
}
.vulnerable-line {
background-color: #fee2e2;
display: inline-block;
width: 100%;
}
.fix-suggestion {
position: absolute;
top: 100%;
left: 0;
width: 100%;
background: white;
border: 1px solid #e5e7eb;
border-radius: 0.375rem;
padding: 1rem;
box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1);
z-index: 10;
display: none;
}
.mermaid {
width: 100%;
min-height: 300px;
background: white;
padding: 1rem;
border-radius: 0.5rem;
border: 1px solid #e5e7eb;
margin: 1rem 0;
}
.risk-marker {
fill: #ef4444;
stroke: #ef4444;
}
.highlight-risk {
background-color: #fee2e2;
padding: 0.1rem 0.2rem;
border-radius: 0.2rem;
}
.tab-content {
display: none;
}
.tab-content.active {
display: block;
}
.nav-tabs .active {
border-bottom: 2px solid #3b82f6;
color: #3b82f6;
font-weight: 600;
}
</style>
</head>
<body class="bg-gray-50">
<div class="container mx-auto px-4 py-8">
<!-- Header -->
<div class="flex justify-between items-center mb-8">
<div>
<h1 class="text-3xl font-bold text-gray-800">AI SDL 数字分身</h1>
<p class="text-gray-600">风险项目详情分析</p>
</div>
<div class="flex items-center space-x-4">
<div class="relative">
<input type="text" placeholder="搜索项目..." class="pl-10 pr-4 py-2 border rounded-lg focus:outline-none focus:ring-2 focus:ring-blue-500">
<svg class="w-5 h-5 text-gray-400 absolute left-3 top-2.5" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z"></path>
</svg>
</div>
<button class="bg-blue-600 text-white px-4 py-2 rounded-lg hover:bg-blue-700 transition-colors">
返回项目列表
</button>
</div>
</div>
<!-- Project Overview -->
<div class="bg-white rounded-xl shadow-md p-6 mb-8">
<div class="flex justify-between items-start mb-6">
<div>
<h2 class="text-2xl font-bold text-gray-800">项目名称: 支付宝国补项目</h2>
<div class="flex items-center mt-2">
<span class="bg-red-100 text-red-800 text-xs font-medium px-2.5 py-0.5 rounded-full">高风险</span>
<span class="ml-2 text-gray-600">最后更新: 2023-06-15 14:30</span>
</div>
</div>
<div class="flex space-x-2">
<button class="flex items-center text-blue-600 hover:text-blue-800">
<svg class="w-5 h-5 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15.172 7l-6.586 6.586a2 2 0 102.828 2.828l6.414-6.586a4 4 0 00-5.656-5.656l-6.415 6.585a6 6 0 108.486 8.486L20.5 13"></path>
</svg>
导出报告
</button>
<button class="flex items-center text-blue-600 hover:text-blue-800">
<svg class="w-5 h-5 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 5v.01M12 12v.01M12 19v.01M12 6a1 1 0 110-2 1 1 0 010 2zm0 7a1 1 0 110-2 1 1 0 010 2zm0 7a1 1 0 110-2 1 1 0 010 2z"></path>
</svg>
更多操作
</button>
</div>
</div>
<div class="grid grid-cols-3 gap-6 mb-6">
<div class="bg-gray-50 p-4 rounded-lg">
<h3 class="font-medium text-gray-700 mb-2">项目参与人</h3>
<div class="flex flex-wrap gap-2">
<span class="bg-blue-100 text-blue-800 text-xs font-medium px-2.5 py-0.5 rounded">形知</span>
<span class="bg-blue-100 text-blue-800 text-xs font-medium px-2.5 py-0.5 rounded">铸梦</span>
<span class="bg-blue-100 text-blue-800 text-xs font-medium px-2.5 py-0.5 rounded">洞悉</span>
<span class="bg-blue-100 text-blue-800 text-xs font-medium px-2.5 py-0.5 rounded">隐迹</span>
<span class="bg-blue-100 text-blue-800 text-xs font-medium px-2.5 py-0.5 rounded">晨熙</span>
</div>
</div>
<div class="bg-gray-50 p-4 rounded-lg">
<h3 class="font-medium text-gray-700 mb-2">风险状态</h3>
<div class="flex items-center">
<div class="w-full bg-gray-200 rounded-full h-2.5">
<div class="bg-red-600 h-2.5 rounded-full" style="width: 65%"></div>
</div>
<span class="ml-2 text-sm font-medium text-gray-700">65% 修复</span>
</div>
</div>
<div class="bg-gray-50 p-4 rounded-lg">
<h3 class="font-medium text-gray-700 mb-2">风险分布</h3>
<div class="flex space-x-4">
<div class="flex items-center">
<div class="w-3 h-3 rounded-full bg-red-500 mr-1"></div>
<span class="text-sm">需求 2</span>
</div>
<div class="flex items-center">
<div class="w-3 h-3 rounded-full bg-orange-500 mr-1"></div>
<span class="text-sm">代码 3</span>
</div>
<div class="flex items-center">
<div class="w-3 h-3 rounded-full bg-yellow-500 mr-1"></div>
<span class="text-sm">测试 1</span>
</div>
</div>
</div>
</div>
<div class="mb-6">
<h3 class="font-medium text-gray-700 mb-2">风险概述</h3>
<div class="space-y-3">
<div class="risk-critical p-3 rounded">
<div class="flex justify-between items-center">
<span class="font-medium">需求环节: 越权访问风险</span>
<span class="text-sm bg-red-600 text-white px-2 py-0.5 rounded-full">未修复</span>
</div>
<p class="text-sm mt-1">用户权限校验不足,可能导致越权访问敏感数据</p>
</div>
<div class="risk-high p-3 rounded">
<div class="flex justify-between items-center">
<span class="font-medium">代码环节: SQL注入风险</span>
<span class="text-sm bg-orange-500 text-white px-2 py-0.5 rounded-full">修复中</span>
</div>
<p class="text-sm mt-1">OrderService.java 中直接拼接SQL语句,存在注入风险</p>
</div>
<div class="risk-medium p-3 rounded">
<div class="flex justify-between items-center">
<span class="font-medium">安全测试: 水平越权</span>
<span class="text-sm bg-yellow-500 text-white px-2 py-0.5 rounded-full">已修复</span>
</div>
<p class="text-sm mt-1">通过修改orderid参数可访问他人订单信息</p>
</div>
</div>
</div>
</div>
<!-- Navigation Tabs -->
<div class="border-b border-gray-200 mb-6">
<nav class="flex space-x-8 nav-tabs" aria-label="Tabs">
<button onclick="switchTab('requirements')" class="py-4 px-1 active inline-flex items-center text-sm font-medium">
<svg class="w-5 h-5 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z"></path>
</svg>
需求分析
</button>
<button onclick="switchTab('code')" class="py-4 px-1 inline-flex items-center text-sm font-medium">
<svg class="w-5 h-5 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 20l4-16m4 4l4 4-4 4M6 16l-4-4 4-4"></path>
</svg>
代码分析
</button>
<button onclick="switchTab('testing')" class="py-4 px-1 inline-flex items-center text-sm font-medium">
<svg class="w-5 h-5 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19.428 15.428a2 2 0 00-1.022-.547l-2.387-.477a6 6 0 00-3.86.494l-.318.158a6 6 0 01-3.86.494L6.05 15.21a2 2 0 00-1.806.547M8 4h8l-1 1v5.172a2 2 0 00.586 1.414l5 5c1.26 1.26.367 3.414-1.415 3.414H4.828c-1.782 0-2.674-2.154-1.414-3.414l5-5A2 2 0 009 10.172V5L8 4z"></path>
</svg>
安全测试
</button>
<button onclick="switchTab('release')" class="py-4 px-1 inline-flex items-center text-sm font-medium">
<svg class="w-5 h-5 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 12h14M5 12a2 2 0 01-2-2V6a2 2 0 012-2h14a2 2 0 012 2v4a2 2 0 01-2 2M5 12a2 2 0 00-2 2v4a2 2 0 002 2h14a2 2 0 002-2v-4a2 2 0 00-2-2m-2-4h.01M17 16h.01"></path>
</svg>
发布检查
</button>
<button onclick="switchTab('production')" class="py-4 px-1 inline-flex items-center text-sm font-medium">
<svg class="w-5 h-5 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z"></path>
</svg>
线上监控
</button>
</nav>
</div>
<!-- Tab Contents -->
<div>
<!-- Requirements Tab -->
<div id="requirements" class="tab-content active">
<div class="content-container">
<!-- Left Panel - Requirements Content -->
<div class="content-panel bg-white">
<h3 class="text-lg font-medium text-gray-800 mb-4">需求文档内容</h3>
<div class="prose max-w-none">
<p>支付宝国补项目旨在为政府补贴发放提供数字化解决方案,通过支付宝平台实现补贴的精准发放和核销。</p>
<h4>1. 项目背景</h4>
<p>随着政府数字化转型的推进,各类补贴发放需要更加高效、透明和可追溯的解决方案...</p>
<h4>2. 功能需求</h4>
<p class="highlight-risk">2.1 用户认证与授权</p>
<p>系统需要支持多级用户角色,包括普通用户、商户用户、政府管理员等。用户通过支付宝账号登录后,系统应根据用户类型显示不同功能模块。</p>
<p class="highlight-risk">2.2 补贴申请与审批</p>
<p>用户可以在线提交补贴申请,上传相关证明材料。政府管理员后台可以审批这些申请,审批通过后补贴金额将直接发放到用户支付宝账户。</p>
<p>2.3 补贴核销</p>
<p>用户在指定商户消费时,可以使用补贴金额进行支付。商户通过扫码枪扫描用户付款码完成交易...</p>
<h4>3. 技术架构</h4>
<div class="mermaid">
graph TD
A[用户端] -->|HTTPS| B(API Gateway)
B --> C[认证服务]
B --> D[补贴服务]
B --> E[支付服务]
D --> F[(MySQL)]
E --> G[(Redis)]
C --> H[(LDAP)]
style D stroke:#ef4444,stroke-width:2px
style C stroke:#ef4444,stroke-width:2px
</div>
<h4>4. 数据安全</h4>
<p>所有敏感数据传输必须加密,存储数据需要脱敏处理...</p>
<p>5. 性能要求</p>
<p>系统需要支持每秒1000+的并发请求,响应时间在500ms以内...</p>
</div>
</div>
<!-- Right Panel - Security Analysis -->
<div class="content-panel bg-white">
<h3 class="text-lg font-medium text-gray-800 mb-4">安全分析结果</h3>
<div class="mb-6">
<h4 class="font-medium text-gray-700 mb-2">STRIDE 威胁建模</h4>
<div class="mermaid">
graph LR
subgraph 支付宝国补系统
A[用户认证] -->|Spoofing| B(冒充管理员)
A -->|Tampering| C(篡改认证令牌)
D[补贴审批] -->|Information Disclosure| E(查看他人申请)
D -->|Elevation of Privilege| F(普通用户执行审批)
end
style B fill:#fee2e2,stroke:#ef4444
style E fill:#fee2e2,stroke:#ef4444
style F fill:#fee2e2,stroke:#ef4444
</div>
</div>
<div class="space-y-4">
<div class="risk-critical p-4 rounded-lg">
<h4 class="font-medium mb-2">风险点: 用户权限控制不足</h4>
<div class="grid grid-cols-2 gap-2 text-sm">
<div>
<p class="text-gray-600">业务场景:</p>
<p>用户认证与授权功能</p>
</div>
<div>
<p class="text-gray-600">风险类型:</p>
<p>越权访问(EoP)</p>
</div>
<div>
<p class="text-gray-600">风险点:</p>
<p>角色权限划分不明确</p>
</div>
<div>
<p class="text-gray-600">严重程度:</p>
<p>高危</p>
</div>
</div>
<div class="mt-2">
<p class="text-gray-600">整改建议:</p>
<p>1. 明确定义各角色权限边界<br>2. 实现基于RBAC的权限控制系统<br>3. 所有敏感操作增加权限校验</p>
</div>
<button onclick="highlightText('2.1 用户认证与授权')" class="mt-2 text-blue-600 text-sm hover:underline">
定位到需求文档
</button>
</div>
<div class="risk-high p-4 rounded-lg">
<h4 class="font-medium mb-2">风险点: 敏感信息泄露</h4>
<div class="grid grid-cols-2 gap-2 text-sm">
<div>
<p class="text-gray-600">业务场景:</p>
<p>补贴申请与审批</p>
</div>
<div>
<p class="text-gray-600">风险类型:</p>
<p>信息泄露(ID)</p>
</div>
<div>
<p class="text-gray-600">风险点:</p>
<p>审批流程可查看他人申请</p>
</div>
<div>
<p class="text-gray-600">严重程度:</p>
<p>中高危</p>
</div>
</div>
<div class="mt-2">
<p class="text-gray-600">整改建议:</p>
<p>1. 实现数据级权限控制<br>2. 审批列表过滤只显示有权限的数据<br>3. 敏感字段脱敏处理</p>
</div>
<button onclick="highlightText('2.2 补贴申请与审批')" class="mt-2 text-blue-600 text-sm hover:underline">
定位到需求文档
</button>
</div>
</div>
</div>
</div>
</div>
<!-- Code Tab -->
<div id="code" class="tab-content">
<div class="content-container">
<!-- Left Panel - Code Content -->
<div class="content-panel bg-white">
<div class="flex justify-between items-center mb-4">
<h3 class="text-lg font-medium text-gray-800">代码内容</h3>
<div class="flex space-x-2">
<select class="border rounded px-2 py-1 text-sm">
<option>OrderService.java</option>
<option>UserService.java</option>
<option>AuthController.java</option>
</select>
<button class="bg-blue-100 text-blue-800 px-3 py-1 rounded text-sm">
全部展开
</button>
</div>
</div>
<div class="code-block">
<pre><code class="language-java">package com.alipay.subsidy.service;
import java.sql.*;
import java.util.List;
public class OrderService {
private Connection conn;
public OrderService() {
try {
conn = DriverManager.getConnection(
"jdbc:mysql://localhost:3306/subsidy",
"root",
"password"
);
} catch (SQLException e) {
e.printStackTrace();
}
}
public List&lt;Order&gt; getOrdersByUserId(String userId) {
List&lt;Order&gt; orders = new ArrayList&lt;&gt;();
try {
// 漏洞点: SQL注入风险
<span id="vuln-line-1" class="vulnerable-line">Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("SELECT * FROM orders WHERE user_id = '" + userId + "'");</span>
while (rs.next()) {
Order order = new Order();
order.setId(rs.getString("id"));
order.setAmount(rs.getBigDecimal("amount"));
orders.add(order);
}
} catch (SQLException e) {
e.printStackTrace();
}
return orders;
}
public Order getOrderById(String orderId) {
Order order = null;
try {
// 漏洞点: 越权访问风险
<span id="vuln-line-2" class="vulnerable-line">Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("SELECT * FROM orders WHERE id = '" + orderId + "'");</span>
if (rs.next()) {
order = new Order();
order.setId(rs.getString("id"));
order.setUserId(rs.getString("user_id"));
order.setAmount(rs.getBigDecimal("amount"));
}
} catch (SQLException e) {
e.printStackTrace();
}
return order;
}
public void updateOrderStatus(String orderId, String status) {
try {
// 漏洞点: 缺乏权限校验
<span id="vuln-line-3" class="vulnerable-line">PreparedStatement pstmt = conn.prepareStatement(
"UPDATE orders SET status = ? WHERE id = ?"
);
pstmt.setString(1, status);
pstmt.setString(2, orderId);
pstmt.executeUpdate();</span>
} catch (SQLException e) {
e.printStackTrace();
}
}
}</code></pre>
</div>
</div>
<!-- Right Panel - Security Analysis -->
<div class="content-panel bg-white">
<h3 class="text-lg font-medium text-gray-800 mb-4">安全分析结果</h3>
<div class="space-y-4">
<div class="risk-critical p-4 rounded-lg">
<div class="flex justify-between items-start">
<div>
<h4 class="font-medium mb-1">SQL注入漏洞</h4>
<p class="text-sm text-gray-600">OrderService.java - getOrdersByUserId()</p>
</div>
<span class="bg-red-600 text-white text-xs px-2 py-0.5 rounded-full">高危</span>
</div>
<div class="mt-2 grid grid-cols-2 gap-2 text-sm">
<div>
<p class="text-gray-600">漏洞类型:</p>
<p>SQL注入</p>
</div>
<div>
<p class="text-gray-600">风险接口:</p>
<p>/api/orders?userId={userId}</p>
</div>
</div>
<div class="mt-2">
<p class="text-gray-600">漏洞描述:</p>
<p class="text-sm">直接拼接用户输入的userId到SQL查询中,攻击者可以构造恶意输入执行任意SQL命令。</p>
</div>
<div class="mt-2">
<p class="text-gray-600">漏洞代码:</p>
<button onclick="highlightCode('vuln-line-1')" class="text-blue-600 text-sm hover:underline">
定位到代码
</button>
</div>
<div class="mt-2">
<p class="text-gray-600">修复建议:</p>
<pre class="bg-gray-100 p-2 rounded text-sm"><code>// 使用预编译语句修复
PreparedStatement pstmt = conn.prepareStatement(
"SELECT * FROM orders WHERE user_id = ?"
);
pstmt.setString(1, userId);
ResultSet rs = pstmt.executeQuery();</code></pre>
</div>
</div>
<div class="risk-high p-4 rounded-lg">
<div class="flex justify-between items-start">
<div>
<h4 class="font-medium mb-1">越权访问漏洞</h4>
<p class="text-sm text-gray-600">OrderService.java - getOrderById()</p>
</div>
<span class="bg-orange-500 text-white text-xs px-2 py-0.5 rounded-full">中高危</span>
</div>
<div class="mt-2 grid grid-cols-2 gap-2 text-sm">
<div>
<p class="text-gray-600">漏洞类型:</p>
<p>水平越权</p>
</div>
<div>
<p class="text-gray-600">风险接口:</p>
<p>/api/orders/{orderId}</p>
</div>
</div>
<div class="mt-2">
<p class="text-gray-600">漏洞描述:</p>
<p class="text-sm">接口直接根据orderId查询订单信息,没有校验当前用户是否有权限访问该订单。</p>
</div>
<div class="mt-2">
<p class="text-gray-600">漏洞代码:</p>
<button onclick="highlightCode('vuln-line-2')" class="text-blue-600 text-sm hover:underline">
定位到代码
</button>
</div>
<div class="mt-2">
<p class="text-gray-600">修复建议:</p>
<pre class="bg-gray-100 p-2 rounded text-sm"><code>// 增加权限校验
Order order = getOrderById(orderId);
if (order != null && !order.getUserId().equals(currentUserId)) {
throw new AccessDeniedException("无权访问该订单");
}
return order;</code></pre>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- Security Testing Tab -->
<div id="testing" class="tab-content">
<div class="content-container">
<!-- Left Panel - Testing Content -->
<div class="content-panel bg-white">
<h3 class="text-lg font-medium text-gray-800 mb-4">测试用例与Payload</h3>
<div class="space-y-6">
<div>
<h4 class="font-medium mb-2">测试接口: /api/orders/{orderId}</h4>
<div class="code-block">
<pre><code class="language-http">GET /api/orders/1001 HTTP/1.1
Host: api.alipay-subsidy.com
Authorization: Bearer user1_token
Accept: application/json</code></pre>
</div>
<div class="mt-2">
<h5 class="font-medium text-sm mb-1">测试Payload:</h5>
<div class="code-block">
<pre><code class="language-http"># 修改orderId尝试访问他人订单
GET /api/orders/1002 HTTP/1.1
Host: api.alipay-subsidy.com
Authorization: Bearer user1_token
Accept: application/json
GET /api/orders/1003 HTTP/1.1
Host: api.alipay-subsidy.com
Authorization: Bearer user1_token
Accept: application/json</code></pre>
</div>
</div>
<div class="mt-2">
<h5 class="font-medium text-sm mb-1">测试结果:</h5>
<div class="code-block">
<pre><code class="language-json">{
"id": "1002",
"userId": "user2",
"amount": 150.00,
"items": [
{"name": "商品A", "price": 50.00},
{"name": "商品B", "price": 100.00}
]
}</code></pre>
</div>
</div>
</div>
<div>
<h4 class="font-medium mb-2">测试接口: /api/orders?userId={userId}</h4>
<div class="code-block">
<pre><code class="language-http">GET /api/orders?userId=user1 HTTP/1.1
Host: api.alipay-subsidy.com
Authorization: Bearer user1_token
Accept: application/json</code></pre>
</div>
<div class="mt-2">
<h5 class="font-medium text-sm mb-1">SQL注入Payload:</h5>
<div class="code-block">
<pre><code class="language-http"># 基础注入测试
GET /api/orders?userId=user1' OR '1'='1 HTTP/1.1
Host: api.alipay-subsidy.com
Authorization: Bearer user1_token
Accept: application/json
# 联合查询获取其他表数据
GET /api/orders?userId=user1' UNION SELECT 1,username,password FROM users-- HTTP/1.1
Host: api.alipay-subsidy.com
Authorization: Bearer user1_token
Accept: application/json</code></pre>
</div>
</div>
<div class="mt-2">
<h5 class="font-medium text-sm mb-1">测试结果:</h5>
<div class="code-block">
<pre><code class="language-json">{
"error": "Internal Server Error",
"status": 500,
"message": "Error executing SQL query"
}</code></pre>
</div>
</div>
</div>
</div>
</div>
<!-- Right Panel - Security Analysis -->
<div class="content-panel bg-white">
<h3 class="text-lg font-medium text-gray-800 mb-4">安全测试分析</h3>
<div class="space-y-4">
<div class="risk-high p-4 rounded-lg">
<div class="flex justify-between items-start">
<div>
<h4 class="font-medium mb-1">水平越权漏洞</h4>
<p class="text-sm text-gray-600">订单信息越权访问</p>
</div>
<span class="bg-orange-500 text-white text-xs px-2 py-0.5 rounded-full">中高危</span>
</div>
<div class="mt-2">
<p class="text-gray-600">风险接口:</p>
<p class="text-sm font-mono">/api/orders/{orderId}</p>
</div>
<div class="mt-2">
<p class="text-gray-600">风险描述:</p>
<p class="text-sm">攻击者可以通过修改orderId参数访问其他用户的订单信息,导致敏感数据泄露。</p>
</div>
<div class="mt-2">
<p class="text-gray-600">攻击手法:</p>
<ol class="list-decimal list-inside text-sm space-y-1">
<li>攻击者登录自己的账号,获取一个合法的订单ID(如1001)</li>
<li>修改请求中的orderid参数,尝试访问其他订单ID(如1002、1003等)</li>
<li>服务器未进行权限校验,攻击者成功获取其他用户的订单信息</li>
<li>通过自动化工具(如Burp Suite或脚本),批量枚举订单ID获取大量用户数据</li>
</ol>
</div>
<div class="mt-2">
<p class="text-gray-600">修复建议:</p>
<p class="text-sm">1. 服务端增加订单所属用户校验<br>2. 实现数据级权限控制<br>3. 对订单ID增加访问频率限制</p>
</div>
</div>
<div class="risk-critical p-4 rounded-lg">
<div class="flex justify-between items-start">
<div>
<h4 class="font-medium mb-1">SQL注入漏洞</h4>
<p class="text-sm text-gray-600">订单查询SQL注入</p>
</div>
<span class="bg-red-600 text-white text-xs px-2 py-0.5 rounded-full">高危</span>
</div>
<div class="mt-2">
<p class="text-gray-600">风险接口:</p>
<p class="text-sm font-mono">/api/orders?userId={userId}</p>
</div>
<div class="mt-2">
<p class="text-gray-600">风险描述:</p>
<p class="text-sm">接口存在SQL注入漏洞,攻击者可以构造恶意输入执行任意SQL命令,可能导致数据库信息泄露甚至服务器被控制。</p>
</div>
<div class="mt-2">
<p class="text-gray-600">攻击Payload:</p>
<div class="code-block">
<pre><code class="language-sql">user1' UNION SELECT 1,username,password FROM users--</code></pre>
</div>
</div>
<div class="mt-2">
<p class="text-gray-600">修复建议:</p>
<p class="text-sm">1. 使用预编译语句(PreparedStatement)替代字符串拼接<br>2. 实施输入验证和参数化查询<br>3. 限制数据库账户权限</p>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- Release Check Tab -->
<div id="release" class="tab-content">
<div class="content-container">
<!-- Left Panel - Release Content -->
<div class="content-panel bg-white">
<h3 class="text-lg font-medium text-gray-800 mb-4">发布安全检查</h3>
<div class="space-y-4">
<div class="p-4 border rounded-lg">
<h4 class="font-medium mb-2">安全检查项</h4>
<div class="space-y-3">
<div class="flex items-center">
<svg class="w-5 h-5 text-green-500 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"></path>
</svg>
<span>代码静态扫描通过</span>
</div>
<div class="flex items-center">
<svg class="w-5 h-5 text-green-500 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"></path>
</svg>
<span>依赖库无已知漏洞</span>
</div>
<div class="flex items-center">
<svg class="w-5 h-5 text-red-500 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12"></path>
</svg>
<span>越权风险未完全修复</span>
</div>
<div class="flex items-center">
<svg class="w-5 h-5 text-yellow-500 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z"></path>
</svg>
<span>SQL注入风险部分修复</span>
</div>
</div>
</div>
<div class="p-4 border rounded-lg">
<h4 class="font-medium mb-2">发布检查记录</h4>
<div class="text-sm space-y-2">
<div class="flex justify-between">
<span>2023-06-10 14:30</span>
<span class="text-red-600">安全检查不通过</span>
</div>
<div class="flex justify-between">
<span>2023-06-12 09:15</span>
<span class="text-yellow-500">部分风险未修复</span>
</div>
<div class="flex justify-between">
<span>2023-06-14 16:45</span>
<span class="text-yellow-500">关键风险仍存在</span>
</div>
</div>
</div>
<div class="p-4 border rounded-lg">
<h4 class="font-medium mb-2">发布决策</h4>
<div class="flex items-center">
<svg class="w-5 h-5 text-red-500 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12"></path>
</svg>
<span class="font-medium">拒绝发布</span>
</div>
<p class="text-sm mt-2">存在未修复的高危风险,不符合安全发布标准。请修复所有高风险问题后重新申请发布。</p>
</div>
</div>
</div>
<!-- Right Panel - Security Analysis -->
<div class="content-panel bg-white">
<h3 class="text-lg font-medium text-gray-800 mb-4">未修复风险分析</h3>
<div class="space-y-4">
<div class="risk-critical p-4 rounded-lg">
<div class="flex justify-between items-start">
<div>
<h4 class="font-medium mb-1">需求环节: 越权访问风险</h4>
<p class="text-sm text-gray-600">用户权限控制不足</p>
</div>
<span class="bg-red-600 text-white text-xs px-2 py-0.5 rounded-full">未修复</span>
</div>
<div class="mt-2 text-sm">
<p>风险描述: 用户权限校验不足,可能导致越权访问敏感数据</p>
<p class="mt-1">影响范围: 补贴审批、订单查询等核心功能</p>
</div>
<div class="mt-2">
<p class="text-gray-600">修复进度:</p>
<div class="w-full bg-gray-200 rounded-full h-2.5 mt-1">
<div class="bg-red-600 h-2.5 rounded-full" style="width: 20%"></div>
</div>
<p class="text-xs mt-1 text-gray-600">仅完成需求分析,未进行代码实现</p>
</div>
</div>
<div class="risk-high p-4 rounded-lg">
<div class="flex justify-between items-start">
<div>
<h4 class="font-medium mb-1">代码环节: SQL注入风险</h4>
<p class="text-sm text-gray-600">OrderService.java</p>
</div>
<span class="bg-orange-500 text-white text-xs px-2 py-0.5 rounded-full">部分修复</span>
</div>
<div class="mt-2 text-sm">
<p>风险描述: 直接拼接SQL语句,存在注入风险</p>
<p class="mt-1">影响接口: /api/orders?userId={userId}</p>
</div>
<div class="mt-2">
<p class="text-gray-600">修复进度:</p>
<div class="w-full bg-gray-200 rounded-full h-2.5 mt-1">
<div class="bg-orange-500 h-2.5 rounded-full" style="width: 70%"></div>
</div>
<p class="text-xs mt-1 text-gray-600">主接口已修复,但部分边缘接口仍存在风险</p>
</div>
</div>
<div class="risk-medium p-4 rounded-lg">
<div class="flex justify-between items-start">
<div>
<h4 class="font-medium mb-1">安全测试: 水平越权</h4>
<p class="text-sm text-gray-600">订单信息越权访问</p>
</div>
<span class="bg-yellow-500 text-white text-xs px-2 py-0.5 rounded-full">已修复待验证</span>
</div>
<div class="mt-2 text-sm">
<p>风险描述: 通过修改orderid参数可访问他人订单信息</p>
<p class="mt-1">影响接口: /api/orders/{orderId}</p>
</div>
<div class="mt-2">
<p class="text-gray-600">修复进度:</p>
<div class="w-full bg-gray-200 rounded-full h-2.5 mt-1">
<div class="bg-yellow-500 h-2.5 rounded-full" style="width: 90%"></div>
</div>
<p class="text-xs mt-1 text-gray-600">代码已修复,等待安全团队验证</p>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- Production Monitoring Tab -->
<div id="production" class="tab-content">
<div class="content-container">
<!-- Left Panel - Production Content -->
<div class="content-panel bg-white">
<h3 class="text-lg font-medium text-gray-800 mb-4">线上监控数据</h3>
<div class="space-y-6">
<div>
<h4 class="font-medium mb-2">安全事件记录</h4>
<div class="border rounded-lg overflow-hidden">
<table class="min-w-full divide-y divide-gray-200">
<thead class="bg-gray-50">
<tr>
<th class="px-4 py-2 text-left text-xs font-medium text-gray-500 uppercase">时间</th>
<th class="px-4 py-2 text-left text-xs font-medium text-gray-500 uppercase">事件类型</th>
<th class="px-4 py-2 text-left text-xs font-medium text-gray-500 uppercase">状态</th>
</tr>
</thead>
<tbody class="bg-white divide-y divide-gray-200">
<tr>
<td class="px-4 py-2 whitespace-nowrap text-sm text-gray-900">2023-06-08 03:15</td>
<td class="px-4 py-2 whitespace-nowrap text-sm text-gray-900">异常登录尝试</td>
<td class="px-4 py-2 whitespace-nowrap">
<span class="px-2 py-1 text-xs rounded-full bg-green-100 text-green-800">已处理</span>
</td>
</tr>
<tr>
<td class="px-4 py-2 whitespace-nowrap text-sm text-gray-900">2023-06-10 14:30</td>
<td class="px-4 py-2 whitespace-nowrap text-sm text-gray-900">SQL注入攻击</td>
<td class="px-4 py-2 whitespace-nowrap">
<span class="px-2 py-1 text-xs rounded-full bg-red-100 text-red-800">待修复</span>
</td>
</tr>
<tr>
<td class="px-4 py-2 whitespace-nowrap text-sm text-gray-900">2023-06-12 09:15</td>
<td class="px-4 py-2 whitespace-nowrap text-sm text-gray-900">批量订单查询</td>
<td class="px-4 py-2 whitespace-nowrap">
<span class="px-2 py-1 text-xs rounded-full bg-yellow-100 text-yellow-800">监控中</span>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div>
<h4 class="font-medium mb-2">风险趋势</h4>
<div class="border rounded-lg p-4">
<div class="flex items-center justify-center h-64">
<p class="text-gray-500">风险趋势图表区域</p>
</div>
</div>
</div>
</div>
</div>
<!-- Right Panel - Security Analysis -->
<div class="content-panel bg-white">
<h3 class="text-lg font-medium text-gray-800 mb-4">线上风险分析</h3>
<div class="space-y-4">
<div class="risk-critical p-4 rounded-lg">
<div class="flex justify-between items-start">
<div>
<h4 class="font-medium mb-1">SQL注入攻击</h4>
<p class="text-sm text-gray-600">2023-06-10 14:30</p>
</div>
<span class="bg-red-600 text-white text-xs px-2 py-0.5 rounded-full">高危</span>
</div>
<div class="mt-2 text-sm">
<p>攻击描述: 攻击者尝试通过userId参数注入SQL命令</p>
<p class="mt-1">攻击Payload: <code class="bg-gray-100 px-1 rounded">user1' UNION SELECT 1,username,password FROM users--</code></p>
<p class="mt-1">影响范围: 订单查询接口</p>
</div>
<div class="mt-2">
<p class="text-gray-600">修复情况:</p>
<div class="flex items-center mt-1">
<svg class="w-5 h-5 text-yellow-500 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z"></path>
</svg>
<span>已热修复,待版本更新</span>
</div>
</div>
</div>
<div class="risk-high p-4 rounded-lg">
<div class="flex justify-between items-start">
<div>
<h4 class="font-medium mb-1">批量订单查询</h4>
<p class="text-sm text-gray-600">2023-06-12 09:15</p>
</div>
<span class="bg-orange-500 text-white text-xs px-2 py-0.5 rounded-full">中高危</span>
</div>
<div class="mt-2 text-sm">
<p>攻击描述: 同一IP在短时间内发起大量订单查询请求</p>
<p class="mt-1">请求频率: 120次/分钟</p>
<p class="mt-1">影响范围: 订单查询接口</p>
</div>
<div class="mt-2">
<p class="text-gray-600">处理措施:</p>
<ol class="list-decimal list-inside text-sm space-y-1 mt-1">
<li>已临时封禁攻击IP</li>
<li>增加接口频率限制(60次/分钟)</li>
<li>增加异常行为监控告警</li>
</ol>
</div>
</div>
<div class="risk-medium p-4 rounded-lg">
<div class="flex justify-between items-start">
<div>
<h4 class="font-medium mb-1">异常登录尝试</h4>
<p class="text-sm text-gray-600">2023-06-08 03:15</p>
</div>
<span class="bg-yellow-500 text-white text-xs px-2 py-0.5 rounded-full">中危</span>
</div>
<div class="mt-2 text-sm">
<p>攻击描述: 来自异常地理位置的登录尝试</p>
<p class="mt-1">攻击IP: 192.168.34.56 (俄罗斯)</p>
<p class="mt-1">攻击方式: 密码爆破</p>
</div>
<div class="mt-2">
<p class="text-gray-600">处理结果:</p>
<div class="flex items-center mt-1">
<svg class="w-5 h-5 text-green-500 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"></path>
</svg>
<span>已阻止,账户安全</span>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<script>
// Initialize Mermaid with proper configuration
mermaid.initialize({
startOnLoad: true,
theme: 'default',
flowchart: {
useMaxWidth: true,
htmlLabels: true
},
securityLevel: 'loose',
themeCSS: `
.risk-marker {
fill: #ef4444;
stroke: #ef4444;
}
`
});
// Re-render Mermaid diagrams when tab is switched
function renderMermaidDiagrams() {
const mermaidElements = document.querySelectorAll('.mermaid');
mermaidElements.forEach(el => {
// Only render if not already rendered
if (!el.querySelector('svg')) {
const graphDefinition = el.textContent.trim();
try {
mermaid.init(undefined, el);
} catch (e) {
console.error('Mermaid rendering error:', e);
}
}
});
}
// Initialize Highlight.js
document.addEventListener('DOMContentLoaded', (event) => {
document.querySelectorAll('pre code').forEach((el) => {
hljs.highlightElement(el);
});
// Initial render of Mermaid diagrams
renderMermaidDiagrams();
});
// Switch tabs
function switchTab(tabId) {
// Hide all tab contents
document.querySelectorAll('.tab-content').forEach(tab => {
tab.classList.remove('active');
});
// Remove active class from all tabs
document.querySelectorAll('.nav-tabs button').forEach(tab => {
tab.classList.remove('active');
});
// Show selected tab content
document.getElementById(tabId).classList.add('active');
// Add active class to clicked tab
event.currentTarget.classList.add('active');
// Render Mermaid diagrams in the newly shown tab
setTimeout(renderMermaidDiagrams, 100);
}
// Highlight text in requirements
function highlightText(text) {
const elements = document.querySelectorAll('.highlight-risk');
elements.forEach(el => {
el.classList.remove('highlight-risk');
});
// Simple text matching for demonstration
const allElements = document.querySelectorAll('#requirements p, #requirements h4');
allElements.forEach(el => {
if (el.textContent.includes(text)) {
el.classList.add('highlight-risk');
el.scrollIntoView({ behavior: 'smooth', block: 'center' });
}
});
}
// Highlight code line
function highlightCode(lineId) {
const elements = document.querySelectorAll('.vulnerable-line');
elements.forEach(el => {
el.classList.remove('vulnerable-line-highlight');
});
const targetElement = document.getElementById(lineId);
if (targetElement) {
targetElement.classList.add('vulnerable-line-highlight');
targetElement.scrollIntoView({ behavior: 'smooth', block: 'center' });
}
}
</script>
<p style="border-radius: 8px; text-align: center; font-size: 12px; color: #fff; margin-top: 16px;position: fixed; left: 8px; bottom: 8px; z-index: 10; background: rgba(0, 0, 0, 0.8); padding: 4px 8px;">Made with <img src="https://enzostvs-deepsite.hf.space/logo.svg" alt="DeepSite Logo" style="width: 16px; height: 16px; vertical-align: middle;display:inline-block;margin-right:3px;filter:brightness(0) invert(1);"><a href="https://enzostvs-deepsite.hf.space" style="color: #fff;text-decoration: underline;" target="_blank" >DeepSite</a> - 🧬 <a href="https://enzostvs-deepsite.hf.space?remix=capta1n/project8" style="color: #fff;text-decoration: underline;" target="_blank" >Remix</a></p></body>
</html>